Security & Trust

Last Updated: July 2, 2026

1. Overview

Rogue Digital is a technical partner that both advises and builds, so security is part of how we work rather than a bolt-on. This page sets out, plainly and honestly, how we protect data across our own website and the systems we build and run for clients. We would rather tell you what is true today than claim a maturity we have not reached.

2. Company & Legal Basis

Rogue Digital Ltd (Company No. 15403136) is registered in England & Wales and operates under the UK GDPR and the Data Protection Act 2018. We are the data controller for information collected through this website (see our Privacy Policy). When we handle personal data on behalf of a client, we act as a data processor under a Data Processing Agreement (see our DPA & sub-processors page).

3. Hosting & Infrastructure

This website runs on Vercel's global edge platform and is served over HTTPS with TLS encryption in transit. Systems we build for clients run on established cloud providers selected per engagement (for example major cloud platforms), with encryption in transit and appropriate encryption at rest. We prefer managed, well-maintained infrastructure over bespoke servers so that patching and hardening are handled by specialists.

4. Access Control & Secrets

  • Least-privilege access: people and systems get only the access they need for the work in hand.
  • Secrets (API keys, credentials) are kept out of source code and stored in managed secret stores, not shared in plaintext.
  • Multi-factor authentication on the key accounts and platforms we operate.
  • Changes to production are reviewed before release, and destructive actions are gated behind explicit human confirmation.

5. Data Handling & Minimisation

We collect and process the least data needed to do the job. We do not sell personal data. Client data is used only to deliver the work we have been engaged to do, and is returned or deleted at the end of an engagement on request. Retention periods for website data are set out in our Privacy Policy.

6. AI & Client Data

Because we build AI and agentic systems, how client data meets AI models matters. We keep client and personal data out of model training, use enterprise or API tiers with no-training and appropriate retention settings, and design for the smallest set of data a task actually needs. Full detail is on our Responsible AI page.

7. Certifications & Security Reviews

In the interest of honesty: we are not currently ISO 27001 or SOC 2 certified. Where an engagement calls for a formal certification, a completed security questionnaire, a penetration test or specific contractual security commitments, we will meet those requirements and provide documentation of the controls we operate. If you have a vendor-security process, send it to us and we will work through it.

8. Data Processing & Sub-processors

When we process personal data on your behalf we enter into a Data Processing Agreement that meets UK GDPR Article 28, and we are transparent about the sub-processors involved. The providers we use, and how to request our DPA, are listed on our DPA & sub-processors page.

9. Incident Response

We take security incidents seriously. If a personal-data breach affects a client, we notify them promptly and support the obligation, where it applies, to report a qualifying breach to the Information Commissioner's Office within 72 hours. We prefer to fail loud and communicate early rather than hope a problem goes unnoticed.

10. Report a Security Issue

Found a vulnerability or a security concern? Please tell us. Email hello@roguedigital.ai with "Security" in the subject line and we will aim to acknowledge within two working days. Responsible disclosure is welcome and appreciated.

See also our Privacy Policy, DPA & sub-processors, and Responsible AI pages.